Full Disclosure mailing list archives

Re: os x 10.2.x has 8 character password limit


From: "Kurt Seifried" <listuser () seifried org>
Date: Mon, 24 Nov 2003 19:30:03 -0700

When computing power/storage was at a premium, things like crypt() worked
fine; if you'd suggested a multi-gigabyte table of crypt()'ed dictionary
words most people would have said "nice, but not doable right now". Well, the
times, they change. Now many versions of UNIX use PAM, pluggable
authentication modules. An article I wrote for Sysadmin magazine a while ago
covers PAM:

http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

The thing with PAM is you have much more flexibility in your authentication
backend: once an application is PAM'ified (basically all are now) you can
use whatever you want, as long as PAM supports it (and PAM supports most
anything). This has led to MD5/etc. hashes rather than crypt(), which
provides the ability to use much longer passwords, or things like
smartcards/biometrics/RADIUS/Kerberos/etc. (without having to tear apart the
program doing the authentication to insert support).

Now according to Apple's docs, such as:

http://www.apple.com/macosx/pdfs/MacOSX_for_UNIX_users_TB.pdf

Mac OS X supports PAM. According to some other docs you can stipulate the
password length in Mac OS X 10.2 and up; perhaps they use a default of 8
characters since "that's how UNIX used to work". My Macs are all off for
the night, or I'd make an attempt to look at the actual password storage to
see how it is kept.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
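The message above makes a practical point that is easy to check on any box: a DES-based crypt() backend silently discards everything after the eighth character, so "password" and "password123" verify identically, while an MD5-style scheme keeps the whole string. The probe below is an added example, not code from Kurt's post or from any Apple or PAM source. It does not call the real crypt(3); the function `legacy_crypt_like` is a hypothetical stand-in that reproduces only the 8-character truncation, and `full_length_hash` is a stand-in for a scheme with no short cap. `effective_password_limit` is the part worth reusing: point it at whatever hashing routine your backend exposes and it reports how many characters actually matter.

```python
import hashlib
import hmac
from typing import Callable, Optional

HashFn = Callable[[str, str], str]


def legacy_crypt_like(password: str, salt: str) -> str:
    # Hypothetical stand-in for traditional DES crypt(3): only the first
    # 8 bytes of the password contribute to the result. The inner hash is
    # SHA-256 for convenience; the property being modelled is the truncation.
    significant = password.encode()[:8]
    return salt + hashlib.sha256(salt.encode() + significant).hexdigest()


def full_length_hash(password: str, salt: str) -> str:
    # Stand-in for an MD5-crypt style scheme ($1$ in /etc/shadow) that hashes
    # the whole password. Not the real $1$ algorithm; HMAC-SHA256 is used so
    # the example stays self-contained.
    return salt + hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()


def effective_password_limit(hash_fn: HashFn, salt: str = "ab",
                             max_len: int = 64) -> Optional[int]:
    """Probe a hashing routine for a silent length cap.

    Hashes one long password made of distinct characters, then hashes each
    prefix of it. The shortest prefix that produces the same hash is the
    number of characters the scheme really keeps. Returns None when no cap
    below max_len is found.
    """
    # Distinct printable ASCII characters, so a prefix can never equal the
    # full password by accident.
    probe = "".join(chr(33 + i) for i in range(max_len))
    reference = hash_fn(probe, salt)
    for n in range(1, max_len):
        if hash_fn(probe[:n], salt) == reference:
            return n
    return None


def verify(password: str, stored: str, hash_fn: HashFn, salt: str) -> bool:
    # Constant-time comparison, as a verifier would do.
    return hmac.compare_digest(hash_fn(password, salt), stored)


if __name__ == "__main__":
    salt = "ab"
    for name, fn in (("legacy", legacy_crypt_like), ("md5-style", full_length_hash)):
        cap = effective_password_limit(fn, salt)
        stored = fn("password123", salt)
        print(f"{name:10s} cap={cap} "
              f"accepts 'password' for 'password123': "
              f"{verify('password', stored, fn, salt)}")
```

Run against the two stand-ins, the legacy routine reports a cap of 8 and accepts the truncated password; the full-length routine reports no cap and rejects it. On a real system the same probe can be driven through the platform's own hashing interface (or, more crudely, by setting a long password and trying to log in with its 8-character prefix), which is exactly the test the original report describes.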



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html